Information Superiority

“The capability to collect, process, [exploit], and disseminate an uninterrupted flow of information while exploiting or denying an adversary’s ability to do the same.”

Information Superiority is the Key to 21st Century Warfighting

Trust in Cyberspace

Interconnection = Utility = Vulnerability

The Challenge

> Growing dependence on information systems

> Rapid growth in computer networks

> Vulnerability to internal attack

SIPRNET Growth
• 200% customer growth*
• 600% growth in traffic*
• 811 customers
• 1,200 dial-up users

NIPRNET Growth
• 20% customer growth*
• 400% growth in traffic*
• 1,554 customers
• 4,000 dial-up users

Defense Department Systems
• 2-3 million computers
• 100,000 local area networks
• 100 long-distance networks

[Figure: map of the Internet, Bill Cheswick, © Lucent Technologies]

* Since 1996

The Target 




>The Defense Department relies on the DII for:

• Targeting

• Command and Control

• Support

• Everything we do

>Cyber attacks offer an asymmetric capability to:

• Disrupt power distribution and telecommunications networks

• Destroy banking and financial records and systems (and destroy public faith in them)

• Exploit sensitive private sector and government databases

• Delay or stop transportation systems

• Degrade ability to deploy, employ, and support military forces

The Threat is Increasing

[Chart: Increasing Level of Detected Activity]

Watershed Events




> Joint Vision 2010: How we'll fight in the 21st Century (Jul 96)

• Information Superiority is the key enabler 

> Eligible Receiver 97 (Jun 97) 

• Demonstrated US infrastructure vulnerabilities 

> President's Commission on Critical Infrastructure 
Protection (Oct 97) 

• Administration position on CIP 

> Solar Sunrise (Feb 98) 

• Demonstrated real world problems predicted in ER 97 

> Presidential Decision Directive 63 (May 98) 

• National CIP Plan 

• National Infrastructure Protection Center (NIPC) 

> Moonlight Maze (Jan - Jun 99) 

> Publication of National Plan (Jan 00) 



[Figure: covers of Joint Vision 2010 and the PCCIP report “Critical Foundations: Protecting America's Infrastructures” (Report of the President's Commission on Critical Infrastructure Protection)]

What IA Incidents Told Us

The Defense Information Infrastructure:

> Inherent vulnerabilities (network of networks)

• Built for convenience, not security

• Unclassified networks vital to support and operations

> Inadequate: 

• Configuration control or visibility 

• System administrator and user training 

• Built-in security or intrusion detection 

• Awareness of the threat 

> No one responsible for defense; no one with authority 
to direct defense 








DOD Organization for Defense 




The Interim Step 

Joint Task Force - Computer Network Defense 


JTF-CND will, in conjunction with the Unified 
Commands, Services, and Agencies, be 
responsible for coordinating and directing the 
defense of DOD computer systems and 
computer networks. This mission includes the 
coordination of DOD defensive actions with 
non-DOD government agencies and
appropriate private organizations.

- JTF-CND Charter, 4 December 1998 






DOD Organization for Defense 



Organization for the Future 
United States Space Command 



(U) USSPACECOM’s responsibilities include 
... effective 1 Oct 99, serving as military lead 
for computer network defense (CND) and 
effective 1 Oct 2000, computer network attack 
(CNA), to include advocating the CND and CNA 
requirements of all CINCs, conducting CND 
and CNA operations, planning and developing 
national requirements for CND and CNA, and 
supporting other CINCs for CND and CNA 

- Unified Command Plan 99 (S) 






JTF-CND Organization

[Org chart; legible entries: 1 Chief, 5 Analysts]

Relationships

[Diagram]

JTF-CND Component Forces

JTF-CND Component Forces provide visibility and directive authority over the DoD global backbone and service networks, plus reporting, fusion, and analysis capabilities.

Army Component

Air Force Component

Navy Component

Marine Component

The CND Problem




> Recognition (what): how do we know something is happening?

> Characterization (what is it):

• Is it an intrusion, outage, or an attack?

• How widespread is it?

• Is it malicious?

> Assessment (so what): What's the effect on our ability to deploy, support, and employ military forces?

> Attribution (who): individual hacker, organized group, transnational group, nation-state sponsored group

> Response (what authorities and processes):

• Law enforcement, counter-intelligence, traditional military operations
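The characterization questions above (is it an intrusion or an outage, and how widespread is it) are answered in practice by fusing the reports that component CERTs forward to the operations center. The following Python is an added illustration of that fusion step; it is not code from the briefing or from JTF-CND. It clusters constructed component reports that share a kind, source address and technique within a time window and labels each cluster's scope. The report format, the site names, the 24-hour window and the mapping of affected-site counts to local/regional/global are all assumptions of the example.

```python
"""Fusing component CERT reports to characterize an incident: what kind it is
and how widespread. Added illustration only; not JTF-CND code. The report
format, site names, time window and scope thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample reports: (site, time UTC, kind, source address, technique).
# Source addresses come from RFC 5737 documentation ranges; nothing here is real data.
REPORTS = [
    ("ACERT",   "1999-03-10T02:10Z", "intrusion", "192.0.2.7",    "rpc.statd exploit"),
    ("NAVCIRT", "1999-03-10T02:45Z", "intrusion", "192.0.2.7",    "rpc.statd exploit"),
    ("AFCERT",  "1999-03-10T03:05Z", "intrusion", "192.0.2.7",    "rpc.statd exploit"),
    ("AFCERT",  "1999-03-10T09:00Z", "outage",    None,           "router power failure"),
    ("MARCERT", "1999-03-11T14:00Z", "intrusion", "198.51.100.9", "ftp password guessing"),
    ("ACERT",   "1999-03-14T08:00Z", "intrusion", "192.0.2.7",    "rpc.statd exploit"),
]


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%MZ")


def scope(sites):
    """Assumed mapping from number of affected components to the briefing's
    levels: one site is local, two regional, three or more global."""
    n = len(sites)
    return "global" if n >= 3 else "regional" if n == 2 else "local"


def fuse(reports, window=timedelta(hours=24)):
    """Cluster reports that share (kind, source, technique) and arrive within
    `window` of the previous report in the cluster; return one characterized
    incident per cluster, oldest first."""
    runs = defaultdict(list)   # key -> list of clusters, each a list of (site, time)
    for site, stamp, kind, source, technique in sorted(reports, key=lambda r: r[1]):
        t = parse_time(stamp)
        clusters = runs[(kind, source, technique)]
        if clusters and t - clusters[-1][-1][1] <= window:
            clusters[-1].append((site, t))          # same activity, still ongoing
        else:
            clusters.append([(site, t)])            # gap too long: new incident
    incidents = []
    for (kind, source, technique), clusters in runs.items():
        for cluster in clusters:
            sites = sorted({site for site, _ in cluster})
            incidents.append({
                "kind": kind,
                "source": source,
                "technique": technique,
                "sites": sites,
                "scope": scope(sites),
                "first_seen": cluster[0][1],
                "last_seen": cluster[-1][1],
            })
    return sorted(incidents, key=lambda i: i["first_seen"])


if __name__ == "__main__":
    for inc in fuse(REPORTS):
        print(f'{inc["first_seen"]:%Y-%m-%d %H:%M} {inc["kind"]:9s} {inc["scope"]:8s} '
              f'{inc["technique"]} from {inc["source"]} at {", ".join(inc["sites"])}')
```

On the constructed input the three same-source reports from ACERT, NAVCIRT and AFCERT fold into one global-scope intrusion, the AFCERT outage stays a separate local event, and the repeat of the same source four days later opens a new local incident rather than stretching the first one.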









Getting to Attribution

[Figure: Attribution]

Getting to Attribution

Law Enforcement
• Activity involves US citizens
• Pen register, trap and trace; wiretap
• Title III, FISA; EO 12333

Effective CND requires efficient, synchronized use of all available tools and processes...and appropriate enabling laws and regulations.
Why We're Concerned About Hackers


> The real threat to DOD is not the hacker, but the 
structured state-sponsored organization 

> However... 

• Sometimes it’s hard to tell the difference - both 
use the same tools 

• Growing sophistication and availability of tools 
increases concern 

• We have to assume the worst until proven wrong 

> So... 

• We take seriously all unauthorized activity 

• We will use all technical and law enforcement tools 
to respond ... and deter 

• We will seek legal prosecution where appropriate 




• Malicious and intentional hacking that causes more than $5,000 damage is 
punishable by a maximum of five years in federal prison 

• Hackers also can be charged with violating federal wiretap laws, punishable 
by up to a 10-year prison term 
Threat Characterization






FIRST GENERATION: Common hacker tools and techniques 
used in a non-sophisticated manner. Lone or possibly 
small groups of amateurs without large resources. 

SECOND GENERATION: Non state-sponsored espionage or
data theft. Common tools used in sophisticated manner. 
Individuals or small groups supported by resources of a 
business, criminal syndicate or other trans-national group, 
including terrorists. 

THIRD GENERATION: State-sponsored espionage. More 
sophisticated threat supported by institutional processes 
and significant resources. 



FOURTH GENERATION: Sophisticated state-sponsored CNA.
State of the art tools and covert techniques backed up by
the resources of a nation-state. Actions being conducted in
coordination with other arms of the nation.

[Figure: USSPACECOM CONOPS; JTF TTP (Tactics, Techniques, and Procedures), versions V1, V2, V3; Operational impact; JTF Charter (SECDEF); JTF CONOPS (Joint Staff)]

CND Takes Place at All Levels

[Diagram; legible labels: Unified Commands, Joint Staff; Regional (Operational); Inform, Coordinate; Local; Respond; Global (Strategic); CINCs; Service / Regional CERTs/CIRTs; Components; Service Staffs]

JTF Operations Center

• 24x7 watch
• Co-located with DISA Global Network Operations Center and DOD CERT
• Convenient to NCS National Coordination Center
• Reporting, fusion, analysis, response capability
• Law enforcement center and intelligence section with agency liaisons
• Extensive communications network

JTF-CND SIPRNET Homepage

[Screenshot]

INFOCON Process


> Parallel to THREATCON process 

> Authorized by SECDEF 

> DOD level: 

• Recommended by CJTF-CND 
• Set by USSPACECOM

• Subordinate commanders can set higher levels 

> Establishes defensive posture 

• Proactive based on assessed threat 

• Reactive based on observed threat 

> Some problems 

• Confusion over process 

• Specificity of measures 

• Conflicts in jurisdiction 


A value-added tool... Refinement Ongoing 







Achieving Information Assurance

[Figure: three groups of IA measures]

Operations: Planning • Organization • Coordination • Configuration • Command & Control

People (vertical label, partly legible): Training • Education • Certification • Retention • Reliability

Third group (heading not legible): Availability • Encryption • Intrusion Detection • Firewalls • Unclassified Networks • Classified Networks

We Must Implement Each Piece

DOD Approach: Defense In Depth

Firewalls
Intrusion Detection
Encrypted Circuits
Procedural Restrictions
Router Control
Host & Network Monitoring
Secure Facilities
Secure Configuration
Trained/Certified Personnel
Security Clearance
Connection Approval
PKI

JTF-CND, GNOSC, CERTs

Government • Industry • Academia

The Future: IA Situational Awareness

This document is from the holdings of: 

The National Security Archive 

Suite 701, Gelman Library, The George Washington University 
2130 H Street, NW, Washington, D.C., 20037 
Phone: 202/994-7000, Fax: 202/994-7005, nsarchiv@gwu.edu 



